A new WhatsApp flaw that allows any other application on your Android device to exfiltrate and decrypt past WhatsApp conversations has been discovered and revealed by security consultant Bas Bosschert.
“Facebook didn’t need to buy WhatsApp to read your chats,” he says, and explains: “The WhatsApp database is saved on the SD card which can be read by any Android application if the user allows it to access the SD card. And since the majority of people allow everything on their Android device, this is not much of a problem.”
The creator of a rogue application designed to do just that can hide what the app is really doing by showing a loading screen while the user is waiting for the app to start.
WhatsApp conversations were previously stored in plain text; newer versions of the app encrypt the databases that hold them. Unfortunately, that encryption is easily undone: Bosschert decrypted a database with a simple Python script, using the AES key he obtained from WhatsApp Xtract, a tool that backs up and displays WhatsApp chats on a computer.
Yes, WhatsApp apparently uses the same encryption key for every user.
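The exposure the article describes is a storage-location problem: anything placed on shared external storage is readable by every app the user has granted storage access, and an encrypted copy protected by a key shared across all users is no better off than a plaintext one. The following is an added audit script, not code from the article or from WhatsApp, that walks a pulled copy of a device's shared storage and flags chat database files sitting there; the directory names, file names and the `.crypt` suffix are constructed for the demo and are not WhatsApp's real layout.

```python
import os
import tempfile
from typing import List, Optional, Tuple

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header of every SQLite database file
ENCRYPTED_SUFFIXES = (".crypt",)        # assumption: naming convention for encrypted backups


def classify(path: str) -> Optional[str]:
    """Return 'plaintext-sqlite', 'encrypted-backup', or None for uninteresting files."""
    with open(path, "rb") as fh:
        head = fh.read(len(SQLITE_MAGIC))
    if head == SQLITE_MAGIC:
        return "plaintext-sqlite"
    if path.lower().endswith(ENCRYPTED_SUFFIXES):
        # Still reported: with a key that is identical for every install, an
        # encrypted backup on shared storage is as exposed as a plaintext one.
        return "encrypted-backup"
    return None


def audit_shared_storage(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (a copy of the device's shared storage) and list exposed databases."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            kind = classify(full)
            if kind:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)


def build_demo_tree() -> str:
    """Constructed sample tree: one plaintext DB, one encrypted backup, one photo."""
    root = tempfile.mkdtemp(prefix="sdcard_")
    db_dir = os.path.join(root, "ChatApp", "Databases")
    os.makedirs(db_dir)
    with open(os.path.join(db_dir, "chats.db"), "wb") as fh:
        fh.write(SQLITE_MAGIC + b"\x00" * 16)
    with open(os.path.join(db_dir, "chats.db.crypt"), "wb") as fh:
        fh.write(b"\xde\xad\xbe\xef" * 8)        # opaque ciphertext stand-in
    os.makedirs(os.path.join(root, "DCIM"))
    with open(os.path.join(root, "DCIM", "IMG_0001.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 12)  # JPEG header, not a database
    return root


if __name__ == "__main__":
    for rel_path, kind in audit_shared_storage(build_demo_tree()):
        print(f"{kind:18s} {rel_path}")
```

The mitigation the finding points to is moving such files to app-private internal storage, which other apps cannot read regardless of the storage permission.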
The company has still not commented on the issue, but some users have, pointing out that the approach only works when the WhatsApp backup feature is used, and that this feature is not turned on by default.
WhatsApp issued an update for the app today, but it didn’t fix the issue.